Muddy Water Suspected For Espionage

In Uncategorized by Jeff Pelliccio

Muddy Water is a suspected Iranian advanced persistent threat group that primarily targets the Middle East and South East Asia for espionage purposes; its targets also include India, Pakistan and the United States.

Over the last year the group has been quite active; however, its tactics have not changed across its campaigns, which allows us to track it effectively. In the most recent attempt, a document named "President.doc" impersonates the Islamic Republic of Afghanistan. It was recently submitted to VirusTotal and, based on the metadata and contents of the document, was created on September 5th, 2018.

Muddy Waters Persistent Threat Group

As with past decoy documents, Muddy Water uses social engineering to persuade the user to enable document macros, which then infect the victim.

When the user enables the content, Visual Basic for Applications code runs and creates several files on the host machine:

  • C:\ProgramData\OfficeService.html –> INF file
  • C:\ProgramData\OfficeService.ini –> encoded PowerShell script
  • C:\ProgramData\ –> encoded JavaScript file

The dropped files and the macro code are heavily obfuscated to deter analysis; as with its predecessors, this sample uses Daniel Bohannon's obfuscation framework to encode the dropped artifacts. The obfuscation is easily reversed using the PowerShell debugger.

In summary, when the malware is executed it provides the same functionality seen previously:

  • Drop files to the file system
  • Query the host for system information
  • Modify Visual Basic settings
  • Modify Office macro security settings
  • Employ sleep timers
  • Check whether the process is being debugged
  • Compile C# code
  • Support commands such as Restart / Shutdown

The malware also creates a scheduled task and a registry Run key so that it remains persistent on the host across a system restart.

Scheduled Task:

'C:\Windows\system32\schtasks.exe' /Create /F /SC DAILY /ST 12:00 /TN MicrosoftOfficeService /TR 'c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OfficeService.html,OfficeService,1,'

Registry Run Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value name: OfficeService)
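As an added example (not code from the original post or from the malware), the following Python script scans constructed sample telemetry for the persistence pattern described above: rundll32 proxy execution through advpack.dll,LaunchINFSection on a file under C:\ProgramData, its registration through schtasks and the Run key, and the SHA256 indicators listed at the end of the post. The "key=value" log layout is a hypothetical format invented for the example, not any vendor's real format.

```python
"""Detection of the persistence pattern described in the post: schtasks or a Run
key launching rundll32 advpack.dll,LaunchINFSection on a file under ProgramData.
Added example; the log format below is constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Hashes from the post's indicator table, compared case-insensitively.
KNOWN_SHA256 = {
    "f2f573af0f76fe0f21bbe630a4bb50b1c1836eb24429bfb8c93673276f27e374": "President.doc",
    "f04dc1aecf9e81807433f81d5bcbab87aff45121a61e130a1a3faf0e3c6556ee": "OfficeService.html",
    "abd822964683695b5cf3700e757054b881a39aa77423af39428b80bcfad69c49": "OfficeService.ini",
}

# Constructed sample telemetry (hypothetical format): "key=value" fields separated by " | ".
SAMPLE_LOG = """\
event=process | image=C:\\Windows\\System32\\cmd.exe | cmdline=cmd.exe /c dir
event=process | image=C:\\Windows\\system32\\schtasks.exe | cmdline=schtasks.exe /Create /F /SC DAILY /ST 12:00 /TN MicrosoftOfficeService /TR "c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OfficeService.html,OfficeService,1,"
event=process | image=C:\\Windows\\System32\\rundll32.exe | cmdline=rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OfficeService.html,OfficeService,1,
event=process | image=C:\\Windows\\System32\\schtasks.exe | cmdline=schtasks.exe /Create /SC WEEKLY /TN Backup /TR C:\\Tools\\backup.exe
event=registry | key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | value=OfficeService | data=c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OfficeService.html,OfficeService,1,
event=registry | key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | value=OneDrive | data=C:\\Program Files\\OneDrive\\OneDrive.exe /background
event=file | path=C:\\ProgramData\\OfficeService.html | sha256=F04DC1AECF9E81807433F81D5BCBAB87AFF45121A61E130A1A3FAF0E3C6556EE
event=file | path=C:\\Users\\bob\\Documents\\notes.txt | sha256=0000000000000000000000000000000000000000000000000000000000000000
"""

LAUNCH_INF = re.compile(r"rundll32(?:\.exe)?\s+advpack\.dll\s*,\s*LaunchINFSection\b", re.I)
PROGRAMDATA = re.compile(r"\\ProgramData\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s.*?/Create\b", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def inf_section_target(cmdline: str) -> Optional[str]:
    """Return the INF path handed to LaunchINFSection, or None if not present."""
    m = LAUNCH_INF.search(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():].strip()
    return rest.split(",", 1)[0].strip()  # first argument is the INF file


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of human-readable reasons this event is suspicious."""
    hits: List[str] = []
    kind = ev.get("event")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        target = inf_section_target(cmd)
        if target is not None:
            # advpack.dll,LaunchINFSection is a legitimate installer entry point,
            # so flag on the payload location and a non-.inf extension (the
            # sample used an .html file under ProgramData) rather than on rundll32 alone.
            reasons = []
            if PROGRAMDATA.search(target):
                reasons.append("INF under ProgramData")
            if not target.lower().endswith(".inf"):
                reasons.append("non-.inf extension")
            if reasons:
                hits.append("LaunchINFSection proxy execution: " + ", ".join(reasons))
            if SCHTASKS_CREATE.search(cmd):
                hits.append("scheduled task persisting LaunchINFSection")
    elif kind == "registry":
        data = ev.get("data", "")
        if RUN_KEY.search(ev.get("key", "")) and (LAUNCH_INF.search(data) or PROGRAMDATA.search(data)):
            hits.append("Run key persistence via rundll32/ProgramData")
    elif kind == "file":
        name = KNOWN_SHA256.get(ev.get("sha256", "").lower())
        if name:
            hits.append(f"known indicator hash ({name})")
    return hits


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) pairs for every suspicious event in the log."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            for reason in check_event(parse_event(line)):
                findings.append((lineno, reason))
    return findings


if __name__ == "__main__":
    for lineno, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

The benign schtasks and OneDrive Run key entries in the sample are there to show that the rules key on the advpack.dll,LaunchINFSection technique and the ProgramData payload location, not on schtasks, rundll32 or Run keys in general, which are common in normal administration.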

As in previous examples of this threat, the malware then calls out to a series of compromised hosts, such as worthhappiness[.]com and marcel-delhez[.]eu, that act as proxies to conceal the address of the real command and control server.

In this attack we were unable to uncover the initial infection vector, but spear-phishing was used in recent campaigns and is a likely component of this attack. Because social engineering plays a role, recipients should exercise due care when opening emails from unexpected or unlikely sources. In most environments, Office macros should also be disabled by default to limit the effectiveness of this threat.

Indicators:

SHA256                                                            Filename
f2f573af0f76fe0f21bbe630a4bb50b1c1836eb24429bfb8c93673276f27e374  President.doc
F04DC1AECF9E81807433F81D5BCBAB87AFF45121A61E130A1A3FAF0E3C6556EE  OfficeService.html
ABD822964683695B5CF3700E757054B881A39AA77423AF39428B80BCFAD69C49  OfficeService.ini
